74cms Remote Code Execution Vulnerability

  • Vulnerability type:
    Remote Code Execution
  • Affected version:
    74CMS < 6.0.48
  • Reproduction environment:
    Windows 10
    PHP 5.4.5
    Apache 2.4.23
  • Vulnerability analysis:
    Vulnerable file: /Application/Common/Controller/BaseController.class.php, which uses the assign_resume_tpl method.

The code path then goes into /ThinkPHP/Library/Think/View.class.php.

Check the configuration file, /ThinkPHP/Conf/convention.php.

The Think template engine is enabled.

The next file to follow is /ThinkPHP/Library/Think/Hook.class.php.

The hook configuration file is /ThinkPHP/Mode/common.php.

What happens next depends on the implementation of the run method in /ThinkPHP/Library/Behavior/ParseTemplateBehavior.class.php.

The fetch() method is called, in /ThinkPHP/Library/Think/Template.class.php.

Execution enters the compiler method, also in /ThinkPHP/Library/Think/Template.class.php.

Return to the loadTemplate method.

The chain ends in /ThinkPHP/Library/Think/Storage/Driver/File.class.php.
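
The analysis above follows a request-supplied template path from assign_resume_tpl down to the file storage driver. As an added example (not code from 74cms, ThinkPHP or the original page), this is one way to confine such a value to known template files before it reaches the loader. The function name resolve_template_path, the .html suffix and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not 74cms or ThinkPHP code.
// It confines a caller-supplied template name to one template directory.
function resolve_template_path($templateRoot, $requested, $suffix = '.html')
{
    // Accept a bare name only: no separators, dots, URL schemes or NUL bytes.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $root = realpath($templateRoot);
    if ($root === false) {
        return null;
    }
    // realpath() resolves symlinks and ".." and returns false for a missing file.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $requested . $suffix);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The resolved file must still sit under the template root.
    if (strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo data: a temporary template directory with one template.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . uniqid();
mkdir($root);
$tpl = $root . DIRECTORY_SEPARATOR . 'resume_default.html';
file_put_contents($tpl, '<p>resume</p>');

$inputs = array(
    'resume_default',              // legitimate template name
    './uploads/photo.jpg',         // constructed: path to an uploaded file
    '../uploads/photo.jpg',        // constructed: traversal out of the root
    "resume_default\0.jpg",        // constructed: embedded NUL byte
    array('resume_default'),       // constructed: non-string request value
);
foreach ($inputs as $in) {
    $verdict = resolve_template_path($root, $in) === null ? 'rejected' : 'allowed';
    printf("%-30s => %s\n", json_encode($in, JSON_UNESCAPED_SLASHES), $verdict);
}
unlink($tpl);
rmdir($root);
```

The name allowlist rejects anything that looks like a path, and the realpath() prefix check is a second layer in case the allowlist is later loosened.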

  • Reproduction:
    First register an ordinary user on the front end, and then update your resume.

After the resume is updated, upload a photo.

After the image Trojan is uploaded, the image address is generated.

Copy the path, call the assign_resume_tpl function through the a method, and then submit the path through POST.

Picture Trojan content: [image]